Voice-messaging security

To configure security for Cisco Unified Communications Manager voice-messaging ports and Cisco Unity devices that are running SCCP or Cisco Unity Connection devices that are running SCCP, you choose a secure device security mode for the port. If you choose an authenticated voice mail port, a TLS connection opens, which authenticates the devices by using a mutual certificate exchange (each device accepts the certificate of the other device). If you choose encrypted voice mail port, the system first authenticates the devices and then sends encrypted voice streams between the devices.

In this chapter, the use of the term "server" refers to a Cisco Unified Communications Manager server. The use of the phrase "voice-mail server" refers to a Cisco Unity server or to a Cisco Unity Connection server.

Voice-messaging security setup tips

Consider the following information before you configure security:

You must run Cisco Unity 4.0(5) or later with this version of Cisco Unified Communications Manager.

You must run Cisco Unity Connection 1.2 or later with this version of Cisco Unified Communications Manager.

For Cisco Unity, you must perform security tasks by using the Cisco Unity Telephony Integration Manager (UTIM); for Cisco Unity Connection, you must perform security tasks by using Cisco Unity Connection Administration. For information on how to perform these tasks, refer to the applicable Cisco Unified Communications Manager integration guide for Cisco Unity or for Cisco Unity Connection.

In addition to the procedures that are described in this chapter, you must use the certificate management feature in Cisco Unified Communications Operating System to save the Cisco Unity certificate to the trusted store. For more information on this task, refer to the Cisco Unified Communications Operating System Administration Guide. After you copy the certificate, you must restart the Cisco CallManager service on each Cisco Unified Communications Manager server in the cluster.

If Cisco Unity certificates expire or change for any reason, use the certificate management feature in the Cisco Unified Communications Operating System Administration Guide to update the certificates in the trusted store. The TLS authentication fails when certificates do not match, and voice messaging does not work because it cannot register to Cisco Unified Communications Manager.

When configuring voice-mail server ports, you must select a device security mode.

The setting that you specify in the Cisco Unity Telephony Integration Manager (UTIM) or in Cisco Unity Connection Administration must match the voice-messaging port device security mode that is configured in Cisco Unified Communications Manager Administration. In Cisco Unity Connection Administration, you apply the device security mode to the voice-messaging port in the Voice Mail Port Configuration window (or in the Voice Mail Port Wizard).

Tip

If the device security mode settings do not match, the voice-mail server ports fail to register with Cisco Unified Communications Manager, and the voice-mail server cannot accept calls on those ports.

Changing the security profile for the port requires a reset of Cisco Unified Communications Manager devices and a restart of the voice-mail server software. If you apply a security profile in Cisco Unified Communications Manager Administration that uses a different device security mode than the previous profile, you must change the setting on the voice-mail server.

You cannot change the Device Security Mode for existing voice-mail servers through the Voice Mail Port Wizard. If you add ports to an existing voice-mail server, the device security mode that is currently configured for the profile automatically applies to the new ports.

Set up secure voice-messaging port

The following procedure provides the tasks used to configure security for voice-messaging ports.

Procedure

Step 1

Verify that you installed and configured the Cisco CTL Client for Mixed Mode.

Step 2

Verify that you configured the phones for authentication or encryption.

Step 3

Use the certificate management feature in Cisco Unified Communications Operating System Administration to copy the Cisco Unity certificate to the trusted store on the Cisco Unified Communications Manager server; then restart the Cisco CallManager service.

For more information, see the Cisco Unified Communications Operating System Administration Guide and Cisco Unified Serviceability Administration Guide.

Tip

Activate the Cisco CTL Provider service on each Cisco Unified Communications Manager server in the cluster; then restart the Cisco CallManager service on all servers.

Apply security profile to single voice-messaging port

To apply a security profile to a single voice-messaging port, perform the following procedure.

This procedure assumes that you added the device to the database and installed a certificate in the phone, if a certificate does not already exist. After you apply a security profile for the first time or if you change the security profile, you must reset the device.

Find the voice-messaging port, as described in the Cisco Unified Communications Manager Administration Guide.

Step 2

After the configuration window for the port displays, locate the Device Security Mode setting. From the drop-down list box, choose the security mode that you want to apply to the port. The database predefines these options. The default value specifies Not Selected.